Thursday, August 25, 2016

Word Games: What the NSA Means by “Targeted” Surveillance Under Section 702

We all know that the NSA uses word games to hide and downplay its activities. Words like "collect," "conversations," "communications," and even "surveillance" have suffered tortured definitions that create confusion rather than clarity.

There’s another one to watch: "targeted" v. "mass" surveillance.

Since 2008, the NSA has seized tens of billions of Internet communications. It uses the Upstream and PRISM programs—which the government claims are authorized under Section 702 of the FISA Amendments Act—to collect hundreds of millions of those communications each year. The scope is breathtaking, including the ongoing seizure and searching of communications flowing through key Internet backbone junctures,[1]the searching of communications held by service providers like Google and Facebook, and, according to the government's own investigators, the retention of significantly more than 250 million Internet communications per year.[2]

Yet somehow, the NSA and its defenders still try to pass 702 surveillance off as "targeted surveillance," asserting that it is incorrect when EFF and many others call it "mass surveillance."

Our answer: if "mass surveillance" includes the collection of the content of hundreds of millions of communications annually and the real-time search of billions more, then the PRISM and Upstream programs under Section 702 fully satisfy that definition.

This word game is important because Section 702 is set to expire in December 2017. EFF and our colleagues who banded together to stop the Section 215 telephone records surveillance are gathering our strength for this next step in reining in the NSA. At the same time, the government spin doctors are trying to avoid careful examination by convincing Congress and the American people that this is just "targeted" surveillance and doesn’t impact innocent people.

Section 702 Surveillance: PRISM and Upstream

PRISM and Upstream surveillance are two types of surveillance that the government admits that it conducts under Section 702 of the FISA Amendments Act, passed in 2008. Each kind of surveillance gives the U.S. government access to vast quantities of Internet communications.[3]

Upstream gives the NSA access to communications flowing through the fiber-optic Internet backbone cables within the United States.[4] This happens because the NSA, with the help of telecommunications companies like AT&T, makes wholesale copies of the communications streams passing through certain fiber-optic backbone cables. Upstream is at issue in EFF’s Jewel v. NSA case.

PRISM gives the government access to communications in the possession of third-party Internet service providers, such as Google, Yahoo, or Facebook. Less is known about how PRISM actually works, something Congress should shine some light on between now and December 2017.[5]

Note that those two programs existed prior to 2008—they were just done under a shifting set of legal theories and authorities.[6] EFF has had evidence of the Upstream program from whistleblower Mark Klein since 2006, and we have been suing to stop it ever since.

Why PRISM and Upstream are "Mass," Not "Targeted," Surveillance

Despite government claims to the contrary, here’s why PRISM and Upstream are "mass surveillance":

(1) Breadth of acquisition: First, the scope of collection under both PRISM and Upstream surveillance is exceedingly broad. The NSA acquires hundreds of millions, if not billions, of communications under these programs annually.[7] Although, in the U.S. government’s view, the programs are nominally "targeted," that targeting sweeps so broadly that the communications of innocent third parties are inevitably and intentionally vacuumed up in the process. For example, a review of a "large cache of intercepted conversations" provided by Edward Snowden and analyzed by the Washington Post revealed that 9 out of 10 account holders "were not the intended surveillance targets but were caught in a net the agency had cast for somebody else."[8] The material reviewed by the Post consisted of 160,000 intercepted e-mail and instant message conversations, 7,900 documents (including "medical records sent from one family member to another, resumes from job hunters and academic transcripts of schoolchildren"), and more than 5,000 private photos.[9] In all, the cache revealed the "daily lives of more than 10,000 account holders who were not targeted [but were] catalogued and recorded nevertheless."[10] The Post estimated that, at the U.S. government’s annual rate of "targeting," collection under Section 702 would encompass more than 900,000 user accounts annually. By any definition, this is "mass surveillance."

(2) Indiscriminate full-content searching. Second, in the course of accomplishing its so-called "targeted" Upstream surveillance, the U.S. government, in part through its agent AT&T, indiscriminately searches the contents of billions of Internet communications as they flow through the nation’s domestic, fiber-optic Internet backbone. This type of surveillance, known as "about surveillance," involves the NSA's retention of communications that are neither to nor from a target of surveillance; rather, it authorizes the NSA to obtain any communications "about" the target.[11] Even if the acquisition of communications containing information "about" a surveillance target could, somehow, still be considered "targeted," themethod for accomplishing that surveillance cannot be: "about" surveillance entails a content search of all, or substantially all, international Internet communications transiting the United States.[12] Again, by any definition, Upstream surveillance is "mass surveillance." For PRISM, while less is known, it seems the government is able to search through—or require the companies like Google and Facebook to search through—all the customer data stored by the corporations for communications to or from its targets.

Seizure: Fourth Amendment and the Wiretap Act

To accomplish Upstream surveillance, the NSA copies (or has its agents like AT&T copy) Internet traffic as it flows through the fiber-optic backbone. This copying, even if the messages are only retained briefly, matters under the law. Under U.S. constitutional law, when the federal government "meaningfully interferes" with an individual’s protected communications, those communications have been "seized" for purposes of the U.S. Constitution’s Fourth Amendment. Thus, when the U.S. government copies (or has copied) communications wholesale and diverts them for searching, it has "seized" those communications under the Fourth Amendment.

Similarly, U.S. wiretapping law triggers a wiretap at the point of "interception by a device," which occurs when the Upstream mechanisms gain access to our communications.[13]

Why does the government insist that it’s targeted? For Upstream, it may be because the initial collection and searching of the communications—done by service providers like AT&T on the government’s behalf—is really, really fast and much of the information initially collected is then quickly disposed of. In this way the Upstream collection is unlike the telephone records collection where the NSA kept all of the records it seized for years. Yet this difference should not change the conclusion that the surveillance is "mass surveillance." First, all communications flowing through the collection points upstream are seized and searched, including content and metadata. Second, as noted above, the amount of information retained—over 250 million Internet communications per year—is astonishing.

Thus, regardless of the time spent, the seizure and search are comprehensive and invasive. Using advanced computers, the NSA and its agents can do a full-text, content search within a blink of an eye through billions, if not trillions of your communications, including emails, social media, and web searches. Second, as demonstrated above, the government retains a huge amount of the communications—far more about innocent people than about its targets—so even based on what is retained the surveillance is better described as "mass" rather than "targeted."

Yes, it is Mass Surveillance

So it is completely correct to characterize Section 702 as mass surveillance. It stems from the confluence of: (1) the method NSA employs to accomplish its surveillance, particularly Upstream, and (2) the breadth of that surveillance.

Next time you see the government or its supporters claim that PRISM and Upstream are "targeted" surveillance programs, you’ll know better.